INFORMATION ABOUT DATA PROTECTION AT OTOKAR EUROPE
#1 Who is the controller of processing operations on your data?
Pursuant to the General Data Protection Regulation ("GDPR"), Otokar Europe SAS, identified under number 534 167 796 on the Pontoise Register of Trade and Companies (hereafter referred to as "Otokar Europe" and/or "we" and/or "us"), is the controller of the processing of your personal data.
Otokar Europe imports and distributes Otokar public service vehicles and spare parts for those vehicles through its network of distributors in France and Europe. Otokar Europe authorises and obliges the approved distributors, service locations and repairers who are members of its network (hereafter referred to as "Otokar Europe partners" if no differentiation is required) to offer support and customer service in technical and non-technical fields to existing and potential customers. Otokar Europe manages the www.otokareurope.com web site, while promoting the Otokar brand in France and Europe.
Unless otherwise stated, Otokar Europe partners are legally and financially independent companies and are not part of Otokar Europe. They use the Otokar brand in their capacity as licensees authorised to sell public service vehicles, OEM parts and maintenance and repair services under said brand.
Otokar Europe is the data controller for all of your personal data processed through the aforementioned web site, your MyOtokar application and your correspondence with the Otokar After-Sales Department (hereafter referred to collectively as Otokar Europe "Customer Service"), and as part of electronic or postal direct marketing actions.
Otokar Europe might also process your data when they are transferred by Otokar partners, in accordance with the legal requirements relating to data protection. The Otokar Europe partners are the controllers of the processing of the personal data that you supply to them as part of the sales and service activities that they offer (repairs, servicing, etc.).
The Otokar Europe partners also process your data when they are transferred by Otokar Europe, in accordance with the applicable regulations. This information relating to data protection also describes some of the processing performed by Otokar Europe partners. However, the Otokar Europe partners might collect other personal data referred to in their own data protection information documents. In this case, you can approach those Otokar Europe partners to find out how they use your personal data.
#2 - When does Otokar Europe collect and use the personal data?
Otokar Europe collects and processes your personal data in the following situations in particular:
- When you contact us directly (through our web site or the Otokar Europe Sales Department, for example), for questions relating to our products and services, or other questions;
- When you purchase an Otokar vehicle;
- When you subscribe to services (MyOtokar application, etc.) from Otokar Europe;
- When you request information from us about our vehicles and services (sending brochures, for example);
- When you respond to our marketing actions (for example sending an email or communicating your data on our web site (www.otokareurope.com));
- When third parties or Otokar Europe partners transmit your personal data to us, in accordance with current regulations (for example, you have given your consent or have not objected to the transmission of your data to Otokar Europe having been informed of your right to object, for customer management purposes (e.g. to identify you if you contact the Otokar Europe After-Sales Department);
- When data relating to your vehicle (including the chassis number) are transmitted to us as part of services and maintenance/repairs performed by Otokar Europe partners;
- When third parties (approved address providers, for example) are lawfully entitled to transmit your personal data to us.
So that we can keep your personal data up to date, please inform us of any changes in this regard, particularly relating to your contact details.
#3 - What personal data do we collect?
The categories of personal data that might be collected through the various services and communication channels described in the data protection information are as follows:
- Contact details: surname, first name, company name, address, telephone number, email address.
- Other personal data: information that you have provided regarding, for example, your position in your company, etc.
- Contractual data: for example, customer number, contract number, Otokar services subscribed to.
- On-line account data: information about your accounts associated with MyOtokar, for example.
- Data about transactions and interactions: information relating to purchases of products and services, interactions with Otokar Europe Customer Service (requests, claims) and Otokar Europe partners, and your participation in quality and/or satisfaction surveys.
- Use of Otokar services and applications: information relating to your use of the Otokar application (on your mobile device) and the MyOtokar services.
- Vehicle technical data: any data created and/or processed in the vehicle.
#4 – What is the purpose of the processing of your data by Otokar Europe?
Otokar Europe only processes your data if such processing is authorised by applicable regulations. In particular, we process your data in accordance with the GDPR in the following situations. Please note that this list is neither exhaustive nor definitive; these are simply examples to give an indication of the use cases and types of data that might be collected and processed.
Otokar Europe and its approved dealer and service location partners use your personal data to manage contracts (for example vehicle orders, repair/workshop orders, subscriptions to Otokar services) or any request made by you (for example offers, tests). With regard to requests by you, Otokar Europe may contact you without your express consent so that your request can be dealt with.
Otokar Europe might also need to contact you if your Otokar vehicle is subject to a service or recall campaign. If necessary, given the highly important nature of such campaigns (preventing risk to the vehicle's passengers, damage to the vehicle, etc.), Otokar Europe will contact you either directly or through one of its approved dealers or service locations, using the contact details that you have given us, in order to comply with its legal obligation to inform.
In addition, Otokar Europe may also contact you in carefully defined situations, for marketing or sales purposes. This includes for example:
• during sales prospecting operations (product and service offers, etc.);
• in a personalised way based on your customer profile;
• for satisfaction surveys;
• to inform you of the end of a warranty or service contract;
• to make you an offer relating to your vehicle (testing, etc.);
Otokar Europe undertakes, if applicable, to issue these communications in accordance with the legal requirements relating to data protection.
Otokar Europe also processes your personal data in order to provide you with the best possible experience of its various services (by identifying you correctly at all points of contact, for example).
Type of data that might be collected and processed:
- Surname and first name, company name, postal address, email address, telephone number;
- Current and/or preferred Otokar dealer;
- Vehicle chassis number and other corresponding characteristics;
- Identification data, particularly customer number and contract number;
- Customer history, particularly data relating to the purchase of the Otokar vehicle (model, configuration, purchase date, date of first registration, purchase order date, delivery date, owner, etc.);
- History of campaigns and responses (customer service scheme - current and potential customers - and direct marketing actions);
- Attendance at trade shows and/or events;
- History of questions and claims directed at the Otokar Europe After-Sales Department;
- Data from applications/web sites/social networks.
Transfer of your data to third parties
Your data may be transferred, in complete accordance with the applicable personal data protection regulations, to carefully selected service providers and partners with whom we cooperate to offer you products and services. We only perform this transfer in strict compliance with the conditions governing processing by a processor set out in the GDPR.
#5 - How does Otokar Europe protect your personal data?
Otokar Europe and, if applicable, its duly selected partner processors, implement several security measures such as cutting-edge encryption and authentication tools to protect and preserve the security, integrity and availability of your data. While it is impossible to guarantee absolute security against unauthorised access during the transfer of data over the Internet or on a web site, Otokar Europe, its service providers and partners do all they can to protect your personal data in accordance with the applicable data protection regulations, by implementing cutting-edge physical, electronic and process-oriented security measures. The measures applied include the following:
- Strict criteria for authorising access to your data on a "need to know" basis (restricted to as few people as possible) and solely for the intended purposes;
- Transfer of the data collected in encrypted form in the majority of cases;
- Firewall protection of computer systems to protect them against unauthorised access, by hackers for example;
- Constant monitoring of access to computer systems to detect and prevent the misuse of personal data.
If you receive a password from Otokar Europe or if you have chosen one yourself to access certain services, areas of our web site or other portals or applications offered by our brand, you are responsible for keeping such password confidential and complying with all other security procedures of which you are informed. We particularly ask that you never disclose your password.
#6 - How long do we store your data for?
In accordance with GDPR Article 17, we only store your data for the period necessary for the purposes for which we process them. If data are processed for different purposes, your data are automatically erased, or stored in a format that does not make it possible to draw direct conclusions about you, as soon as the last task and specific purpose has been fulfilled. To guarantee that all of your data are erased in accordance with the principle of data minimisation and GDPR Article 17, Otokar Europe has created an internal erasure concept. The fundamental principles according to which this erasure concept provides for the erasure of your data are described below.
Use for the purposes of compliance with a contract
In order to fulfil contractual obligations, the data collected from you may be stored for the entire term of the contract and, depending on the nature and scope of the contract, for a specified period after such term in order to fulfil the applicable storage obligations and enable us to respond to any questions or claims arising after the term of the contract.
In addition, some product and service supply contracts require a longer storage period; see also "Use for assessing claims" below.
Use for assessing claims
Data that, according to Otokar Europe, are necessary for assessing and avoiding claims against us or for bringing criminal proceedings or making claims against you, against us or against any third party, may be stored by us for the entire period during which the corresponding proceedings may be brought.
Use for customer service and marketing purposes
For both Customer Service and sales prospecting purposes, the data collected from you may be stored for three years following the end of any commercial relationship, unless you request that they be erased and provided that there is no contractual or legal storage obligation that prevents the fulfilment of said request.
#7 - Your rights relating to the protection of your data
As the data subject concerned by the processing of your data, you are entitled to exercise certain rights set out by the GDPR and other applicable data protection regulations, including the following:
Right to access your data (GDPR - Art. 15):
You can request access to your personal data stored by Otokar Europe at any time. This information includes the categories of data we process, the purposes of the processing, the source of the data when we have not collected them directly from you and, if applicable, the recipients to whom we disclose your data. You may receive a copy of your data free of charge on request. We reserve the right to invoice any requests for additional copies.
Right to rectification (GDPR - Art. 16):
You may request that Otokar Europe rectify the personal data concerning you. We take all reasonable action to keep the data that we hold about you up to date, and we process them lawfully, accurately, fully, in their updated form and relevantly on the basis of the most up-to-date information available to us.
Right to be forgotten (GDPR - Art. 17):
You may request the erasure of your data provided that the legal prerequisites have been satisfied.
• The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
• You withdraw your consent, where there is no other legal ground for the processing of the data,
• You object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to the processing of your data for prospecting purposes,
• The data have been unlawfully processed.
Unless the processing is necessary:
• For compliance with a legal obligation that requires that we store and process your data, subject to application of the storage periods required by the applicable regulations,
• For the establishment, exercise or defence of legal claims.
• French Data Protection Act of 6 January 1978, Art. 32: You also have the right to give instructions regarding what happens to your personal data after your death.
Right to restriction of processing (GDPR – Art. 18):
You may request the restriction of processing of your data in the following cases:
• You contest the accuracy of the data. The subsequent processing of the data is restricted for a period enabling verification of the accuracy thereof,
• The processing is unlawful and you oppose the erasure of your data. You request the restriction of their use instead,
• Otokar Europe no longer needs your data, but you require them for the establishment, exercise or defence of legal claims,
• You have objected to the processing pending verification of whether the legitimate grounds of Otokar Europe override yours.
Right to data portability (GDPR - Art. 20):
You may request that your personal data be transmitted to another data controller where technically feasible. However, you are only granted this right if the processing of the data is based on your consent or necessary for the performance of a contract. Instead of receiving a copy of your data, you can also request that Otokar Europe transmit them directly to another controller designated by you.
Right to object (GDPR - Art. 21):
You have the right to object, on grounds relating to you particular situation, at any time to processing of your personal data for the purposes of the legitimate interests of Otokar Europe or a third party. In this case, we will no longer process said data. This provision does not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests or if we need your data for the establishment, exercise or defence of legal claims.
- What happens to your data after your death (French Data Protection Act of 6 January 1978, Art. 32):
You also have the right to give instructions regarding what happens to your personal data after your death.
- Response times following the exercising of the rights set out above:
We strive to respond to all requests within thirty days. However, this may take longer for reasons relating to the complexity of your request and the number of requests received.
- If we do not transmit your data:
In some situations, Otokar Europe might be unable to transmit all of your data due to a legal obligation. If we refuse your request for information in such an event, we will tell you the reason for refusal immediately.
- Recourse to the competent authorities: Otokar Europe takes your rights and concerns very seriously. However, if you feel that we have not responded to your claims, you are entitled to complain to the competent data protection authority.
#8 – Contacting us about your personal data
For any questions about our use of your personal data, please contact the Data Protection Officer:
Délégué à la Protection des Données
Otokar Europe SAS
24 rue du Noyer
Parc Les Scientifiques De Roissy Lot A-3 95700 Roissy-en-France